Your message dated Tue, 04 Feb 2020 16:35:05 +0000
with message-id <e1iz1ah-000fql...@fasolo.debian.org>
and subject line Bug#950581: fixed in python-django 2:2.2.10-1
has caused the Debian Bug report #950581,
regarding python-django: CVE-2020-7471: Potential SQL injection via StringAgg(delimiter)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
950581: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950581
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: python-django
Version: 2:2.2.9-2
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 1:1.11.27-1~deb10u1

Hi,

The following vulnerability was published for python-django.

CVE-2020-7471[0]:
| Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3
| allows SQL Injection if untrusted data is used as a StringAgg
| delimiter (e.g., in Django applications that offer downloads of data
| as a series of rows with a user-specified column delimiter). By
| passing a suitably crafted delimiter to a
| contrib.postgres.aggregates.StringAgg instance, it was possible to
| break escaping and inject malicious SQL.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-7471
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7471
[1] https://www.djangoproject.com/weblog/2020/feb/03/security-releases/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
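As an added illustration of the defect class the CVE text above describes (this is not code from the report or from Django itself): an aggregate delimiter spliced into the SQL text versus one passed as a bound parameter, which is the approach the upstream fix takes. SQLite's group_concat stands in for PostgreSQL's STRING_AGG so the example runs offline; the table and rows are constructed.

```python
import sqlite3

# Constructed sample rows standing in for a table exported with a
# user-chosen column delimiter (the scenario the CVE text describes).
SAMPLE_ROWS = [("alice",), ("bob",), ("carol",)]


def _connection():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE person (name TEXT)")
    conn.executemany("INSERT INTO person (name) VALUES (?)", SAMPLE_ROWS)
    return conn


def aggregate_unsafe(conn, delimiter):
    # Vulnerable pattern: the delimiter is spliced into the SQL text, so a
    # delimiter containing a quote character changes the statement itself.
    sql = "SELECT group_concat(name, '%s') FROM person" % delimiter
    return conn.execute(sql).fetchone()[0]


def aggregate_safe(conn, delimiter):
    # Hardened pattern: the delimiter travels as a bound parameter and can
    # never alter the statement, whatever characters it contains.
    sql = "SELECT group_concat(name, ?) FROM person"
    return conn.execute(sql, (delimiter,)).fetchone()[0]


def quoting_broken(delimiter):
    # True when the unsafe builder can no longer even parse the statement,
    # i.e. the delimiter has escaped the string literal around it.
    try:
        aggregate_unsafe(_connection(), delimiter)
    except sqlite3.OperationalError:
        return True
    return False
```

With a delimiter such as `a'b` the unsafe builder fails to parse while the parameterized version returns the rows joined by that literal text.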
--- Begin Message ---
Source: python-django
Source-Version: 2:2.2.10-1

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 950...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <la...@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Tue, 04 Feb 2020 17:19:01 +0100
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 2:2.2.10-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Modules Team <python-modules-t...@lists.alioth.debian.org>
Changed-By: Chris Lamb <la...@debian.org>
Closes: 950581
Changes:
 python-django (2:2.2.10-1) unstable; urgency=medium
 .
   * New upstream security release. (Closes: #950581)
     <https://www.djangoproject.com/weblog/2020/feb/03/security-releases/>
   * Bump Standards-Version to 4.5.0.


--- End Message ---